Zone Labs states the following in a release concerning WORM_RBOT:
"The Zone Labs vsmon.exe process will never request network access. Any program using this name and requesting network access should be treated with caution and denied network access."
On my system I have vsmon.exe connecting to unknown.leve13.net (note this is leve 13 (the number) dot net NOT level 3 dot net) and several other IPs which appear suspect and have nothing obvious to do with Zone Labs. All the internet connections made by vsmon.exe are to IP addresses without a DNS lookup. The only way to identify these sites is to do an IP whois to find out who owns the IP address. I've manually restricted the IP range of vsmon.exe by entering each IP range it accesses one after another, just to find it using a new range the next time I check. I also tried to enter vsmon.exe as a program so I could get it under control, just to find it doesn't show up in the list after it is added.
Based on the statements by Zone Labs that this program will never request internet access, the program on my machine smells like a worm to me. The program is HUGE, makes internet contact even when the program is told not to check for updates, and opens 2-4 HTTP 80 ports on foreign machines as shown by netstat -a -b. How do I get rid of this wormy program?
K & C ********
Owners of a company that is almost bankrupt due to security breaches and hackers.
Operating System: Windows XP Pro
Product Name: ZoneAlarm Internet Security Suite